Hi,
On Wed, Mar 20, 2013 at 2:52 PM, Bart van der Schans
<b.vanderschans@onehippo.com> wrote:
> Isn't the idea in jcr that if you are not allowed to read a node that
> you shouldn't be able to to deduce it's existence?
Yes. On the other hand you could argue that making a node at /foo/bar
readable to someone implicitly grants them knowledge about the
presence of a node at /foo, even if they don't necessarily have direct
read access to that node. A call like session.getNode("/foo") could
still fail.
> Yes of course. But if you can't read/see the intermediary node it's
> hard to detect this case in the session itself. The save will still
> fail of course although the user might not have a clue why.
The problem can be detected even by just looking at the paths being
moved. The failure of move("/A/B", "/A/B/C/D") should be fairly
obvious.
> 3. allow implicit read access to all parent nodes (for example by path
> discovery), but not allow read permissions to its' properties
I'd rather call this implicit execute (or traversal) access instead of
read access, since a call like session.getNode("/foo") on a
non-readable parent should still fail. Otherwise a read-access check
on a node might potentially have to look through the entire subtree
for a readable descendant.
BR,
Jukka Zitting